@@ -12,6 +12,7 @@ pub fn init() {
1212 // initialize lazy_static maps
1313 initialize ( & PATHS ) ;
1414 initialize ( & MOUNTS ) ;
15+ initialize ( & DEFAULT_ALLOWED_DEVICES ) ;
1516 initialize ( & APPLIES ) ;
1617}
1718
@@ -242,6 +243,59 @@ lazy_static! {
242243 } ;
243244}
244245
246+ lazy_static ! {
247+ static ref DEFAULT_ALLOWED_DEVICES : Vec <LinuxDeviceCgroup > = {
248+ let mut v = Vec :: new( ) ;
249+ // mknod any device
250+ v. push( LinuxDeviceCgroup {
251+ allow: true ,
252+ typ: LinuxDeviceType :: c,
253+ major: None ,
254+ minor: None ,
255+ access: "m" . to_string( ) ,
256+ } ) ;
257+ v. push( LinuxDeviceCgroup {
258+ allow: true ,
259+ typ: LinuxDeviceType :: b,
260+ major: None ,
261+ minor: None ,
262+ access: "m" . to_string( ) ,
263+ } ) ;
264+ // /dev/console
265+ v. push( LinuxDeviceCgroup {
266+ allow: true ,
267+ typ: LinuxDeviceType :: c,
268+ major: Some ( 5 ) ,
269+ minor: Some ( 1 ) ,
270+ access: "rwm" . to_string( ) ,
271+ } ) ;
272+ // /dev/pts
273+ v. push( LinuxDeviceCgroup {
274+ allow: true ,
275+ typ: LinuxDeviceType :: c,
276+ major: Some ( 136 ) ,
277+ minor: None ,
278+ access: "rwm" . to_string( ) ,
279+ } ) ;
280+ v. push( LinuxDeviceCgroup {
281+ allow: true ,
282+ typ: LinuxDeviceType :: c,
283+ major: Some ( 5 ) ,
284+ minor: Some ( 2 ) ,
285+ access: "rwm" . to_string( ) ,
286+ } ) ;
287+ // tun/tap
288+ v. push( LinuxDeviceCgroup {
289+ allow: true ,
290+ typ: LinuxDeviceType :: c,
291+ major: Some ( 10 ) ,
292+ minor: Some ( 200 ) ,
293+ access: "rwm" . to_string( ) ,
294+ } ) ;
295+ v
296+ } ;
297+ }
298+
245299type Apply = fn ( & LinuxResources , & str ) -> Result < ( ) > ;
246300
247301lazy_static ! {
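Review bot: The entry at lines 280-286 (major 5, minor 2) is the only device in DEFAULT_ALLOWED_DEVICES without a comment saying what it is; in the Linux device numbering 5:2 is /dev/ptmx, so `// /dev/ptmx` above that push would keep the list readable alongside the `// /dev/console` and `// /dev/pts` neighbours. The static itself also deserves a doc comment stating its contract, since devices_apply writes every entry unconditionally: something like `/// Device rules applied to every container in addition to the spec's own list.` The leading `// mknod any device` comment covers both the `c` and `b` pushes, which is easy to miss; a reader would be helped by noting that the `m` access on both entries grants mknod for any character or block device, not a specific node.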
@@ -468,5 +522,9 @@ fn devices_apply(r: &LinuxResources, dir: &str) -> Result<()> {
468522
469523 write_device ( & ld, dir) ?;
470524 }
525+ for ld in DEFAULT_ALLOWED_DEVICES . iter ( ) {
526+ write_device ( ld, dir) ?;
527+ }
528+
471529 Ok ( ( ) )
472530}
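Review bot: The new loop at lines 525-527 writes the built-in allow list after the spec's device rules, so a spec rule that denies one of these devices is undone by the unconditional allow that follows it, assuming write_device translates `allow: false` into a devices.deny write as its name suggests. Moving the DEFAULT_ALLOWED_DEVICES loop ahead of the spec loop would let the spec's explicit rules take precedence over the defaults, which is the order a user configuring a deny would expect. A short comment at the loop, `// built-in defaults; spec rules written above must not be overridden here`, or the reverse once reordered, would document whichever precedence is intended. devices_apply starts outside the hunk, so the spec loop's beginning is not visible here.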